CVE-2022-40664 - Improper Authentication

Severity: None2022-11-21

Security Advisories


The Shiro package is vulnerable to Improper Authentication. The doFilter() function in the OncePerRequestFilter class executes the filter once per request, even when forwarding or including via javax.servlet.RequestDispatcher. A remote attacker can send a specially crafted HTTP request to bypass security restrictions and gain unauthorized access to the application.

The Oxygen products incorporate Shiro as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen XML Web Author v25.0.0.0 and olderNone Oxygen XML Web Author build 2022111708
Oxygen Content Fusion v5.0.1 and olderNone Content Fusion 5.0.2 build 2022121305





Severity: Critical

CVSS Score: 9.8

The Shiro third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-40664 vulnerability description. However, the Oxygen products doesn't call the vulnerable code. For that reason, Oxygen XML products are not affected by this vulnerability.

Starting with Oxygen XML Web Author v25.0.0.1 build 2022111708 Shiro library was updated to a newer version that fixes this vulnerability.

List of Security Advisories